| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "sandbox/win/src/window.h" | |
| 6 | |
| 7 #include <aclapi.h> | |
| 8 | |
| 9 #include "base/logging.h" | |
| 10 #include "base/memory/scoped_ptr.h" | |
| 11 #include "sandbox/win/src/acl.h" | |
| 12 #include "sandbox/win/src/sid.h" | |
| 13 | |
| 14 namespace { | |
| 15 | |
| 16 // Gets the security attributes of a window object referenced by |handle|. The | |
| 17 // lpSecurityDescriptor member of the SECURITY_ATTRIBUTES parameter returned | |
| 18 // must be freed using LocalFree by the caller. | |
| 19 bool GetSecurityAttributes(HANDLE handle, SECURITY_ATTRIBUTES* attributes) { | |
| 20 attributes->bInheritHandle = FALSE; | |
| 21 attributes->nLength = sizeof(SECURITY_ATTRIBUTES); | |
| 22 | |
| 23 PACL dacl = NULL; | |
| 24 DWORD result = ::GetSecurityInfo(handle, SE_WINDOW_OBJECT, | |
| 25 DACL_SECURITY_INFORMATION, NULL, NULL, &dacl, | |
| 26 NULL, &attributes->lpSecurityDescriptor); | |
| 27 if (ERROR_SUCCESS == result) | |
| 28 return true; | |
| 29 | |
| 30 return false; | |
| 31 } | |
| 32 | |
| 33 } | |
| 34 | |
| 35 namespace sandbox { | |
| 36 | |
| 37 ResultCode CreateAltWindowStation(HWINSTA* winsta) { | |
| 38 // Get the security attributes from the current window station; we will | |
| 39 // use this as the base security attributes for the new window station. | |
| 40 SECURITY_ATTRIBUTES attributes = {0}; | |
| 41 if (!GetSecurityAttributes(::GetProcessWindowStation(), &attributes)) { | |
| 42 return SBOX_ERROR_CANNOT_CREATE_WINSTATION; | |
| 43 } | |
| 44 | |
| 45 // Create the window station using NULL for the name to ask the os to | |
| 46 // generate it. | |
| 47 *winsta = ::CreateWindowStationW( | |
| 48 NULL, 0, GENERIC_READ | WINSTA_CREATEDESKTOP, &attributes); | |
| 49 LocalFree(attributes.lpSecurityDescriptor); | |
| 50 | |
| 51 if (*winsta) | |
| 52 return SBOX_ALL_OK; | |
| 53 | |
| 54 return SBOX_ERROR_CANNOT_CREATE_WINSTATION; | |
| 55 } | |
| 56 | |
| 57 ResultCode CreateAltDesktop(HWINSTA winsta, HDESK* desktop) { | |
| 58 base::string16 desktop_name = L"sbox_alternate_desktop_"; | |
| 59 | |
| 60 // Append the current PID to the desktop name. | |
| 61 wchar_t buffer[16]; | |
| 62 _snwprintf_s(buffer, sizeof(buffer) / sizeof(wchar_t), L"0x%X", | |
| 63 ::GetCurrentProcessId()); | |
| 64 desktop_name += buffer; | |
| 65 | |
| 66 // Get the security attributes from the current desktop, we will use this as | |
| 67 // the base security attributes for the new desktop. | |
| 68 SECURITY_ATTRIBUTES attributes = {0}; | |
| 69 if (!GetSecurityAttributes(GetThreadDesktop(GetCurrentThreadId()), | |
| 70 &attributes)) { | |
| 71 return SBOX_ERROR_CANNOT_CREATE_DESKTOP; | |
| 72 } | |
| 73 | |
| 74 // Back up the current window station, in case we need to switch it. | |
| 75 HWINSTA current_winsta = ::GetProcessWindowStation(); | |
| 76 | |
| 77 if (winsta) { | |
| 78 // We need to switch to the alternate window station before creating the | |
| 79 // desktop. | |
| 80 if (!::SetProcessWindowStation(winsta)) { | |
| 81 ::LocalFree(attributes.lpSecurityDescriptor); | |
| 82 return SBOX_ERROR_CANNOT_CREATE_DESKTOP; | |
| 83 } | |
| 84 } | |
| 85 | |
| 86 // Create the destkop. | |
| 87 *desktop = ::CreateDesktop(desktop_name.c_str(), | |
| 88 NULL, | |
| 89 NULL, | |
| 90 0, | |
| 91 DESKTOP_CREATEWINDOW | DESKTOP_READOBJECTS | | |
| 92 READ_CONTROL | WRITE_DAC | WRITE_OWNER, | |
| 93 &attributes); | |
| 94 ::LocalFree(attributes.lpSecurityDescriptor); | |
| 95 | |
| 96 if (winsta) { | |
| 97 // Revert to the right window station. | |
| 98 if (!::SetProcessWindowStation(current_winsta)) { | |
| 99 return SBOX_ERROR_FAILED_TO_SWITCH_BACK_WINSTATION; | |
| 100 } | |
| 101 } | |
| 102 | |
| 103 if (*desktop) { | |
| 104 // Replace the DACL on the new Desktop with a reduced privilege version. | |
| 105 // We can soft fail on this for now, as it's just an extra mitigation. | |
| 106 static const ACCESS_MASK kDesktopDenyMask = WRITE_DAC | WRITE_OWNER | | |
| 107 DELETE | | |
| 108 DESKTOP_CREATEMENU | | |
| 109 DESKTOP_CREATEWINDOW | | |
| 110 DESKTOP_HOOKCONTROL | | |
| 111 DESKTOP_JOURNALPLAYBACK | | |
| 112 DESKTOP_JOURNALRECORD | | |
| 113 DESKTOP_SWITCHDESKTOP; | |
| 114 AddKnownSidToObject(*desktop, SE_WINDOW_OBJECT, Sid(WinRestrictedCodeSid), | |
| 115 DENY_ACCESS, kDesktopDenyMask); | |
| 116 return SBOX_ALL_OK; | |
| 117 } | |
| 118 | |
| 119 return SBOX_ERROR_CANNOT_CREATE_DESKTOP; | |
| 120 } | |
| 121 | |
| 122 base::string16 GetWindowObjectName(HANDLE handle) { | |
| 123 // Get the size of the name. | |
| 124 DWORD size = 0; | |
| 125 ::GetUserObjectInformation(handle, UOI_NAME, NULL, 0, &size); | |
| 126 | |
| 127 if (!size) { | |
| 128 NOTREACHED(); | |
| 129 return base::string16(); | |
| 130 } | |
| 131 | |
| 132 // Create the buffer that will hold the name. | |
| 133 scoped_ptr<wchar_t[]> name_buffer(new wchar_t[size]); | |
| 134 | |
| 135 // Query the name of the object. | |
| 136 if (!::GetUserObjectInformation(handle, UOI_NAME, name_buffer.get(), size, | |
| 137 &size)) { | |
| 138 NOTREACHED(); | |
| 139 return base::string16(); | |
| 140 } | |
| 141 | |
| 142 return base::string16(name_buffer.get()); | |
| 143 } | |
| 144 | |
| 145 base::string16 GetFullDesktopName(HWINSTA winsta, HDESK desktop) { | |
| 146 if (!desktop) { | |
| 147 NOTREACHED(); | |
| 148 return base::string16(); | |
| 149 } | |
| 150 | |
| 151 base::string16 name; | |
| 152 if (winsta) { | |
| 153 name = GetWindowObjectName(winsta); | |
| 154 name += L'\\'; | |
| 155 } | |
| 156 | |
| 157 name += GetWindowObjectName(desktop); | |
| 158 return name; | |
| 159 } | |
| 160 | |
| 161 } // namespace sandbox | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1851213002:
Remove sandbox on Windows. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master